Making HTTP requests via telnet

Dec 20, 2011 Published by Tony Primerano

Simple telnet HTTP requests

Using Telnet is a great way to learn about HTTP requests.

For example.. back in the 90s microsoft was running their sites on apache. Nowadays they are eating their own dog food.  ;-)

Here is a simple HEAD request to via telnet.

$ telnet 80
Connected to
Escape character is '^]'.

HTTP/1.1 301 Moved Permanently
Connection: close
Date: Thu, 12 Jul 2007 15:25:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 31
Content-Type: text/html
Cache-control: private

Connection closed by foreign host.

The command above was simple. HEAD / HTTP/1.0 followed by 2 line feeds.

The 80 specified in the telnet command is the port that you are hitting when you type in a browser. If another port is used you will see it after a colon. ex: hits the server running on port 8080. If there was one. :-)

When doing GET commands you usually end up sending headers with your command. You should always send the Host header (this isn't required for HTTP/1.0 but many servers are running multiple sites so you'll want to send this.)

Here's an example of a GET against my home page.

$ telnet 80
Connected to
Escape character is '^]'.
GET / HTTP/1.1

HTTP/1.1 200 OK
Date: Thu, 12 Jul 2007 16:10:02 GMT
Server: Apache/1.3.37 (Unix) mod_throttle/3.1.2 DAV/1.0.3 mod_fastcgi/2.4.2 mod_gzip/ PHP/4.4.7 mod_ssl/2.8.22 OpenSSL/0.9.7e
MS-Author-Via: DAV
Last-Modified: Wed, 11 Jul 2007 14:10:28 GMT
ETag: "19cf7aa-68d-4694e4d4"
Accept-Ranges: bytes
Content-Length: 1677
Content-Type: text/html


I spared you the full contents of my home page. Why did it return the entire page? Because we did a GET instead of HEAD.

Remembering all the headers you need can get tricky so I usually use [LiveHttpHeaders to get what I need and then I can make modifications for testing or scripting purposes.


Scripting telnet HTTP requests

I recently needed to hit several production servers that lived behind a VIP. I had access to the servers directly but their behavior was controlled by the host that they were called with so if I used the machine name I was out of luck. Also, port numbers in the request would throw it off. So I needed to send http requests directly to the server and lie about the hostname I was using to access them.

Here is a script file that I run and pipe into telnet.

echo "open $1 $2"
sleep 2
echo "GET $4 HTTP/1.0"
echo "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070515 Firefox/"
echo "Host: $3"
sleep 2

lets put this in a file called getpage and then we run the following

./getpage 80 /| telnet

ok. what did we just do?

  • getpage is sending commands on stdout and telnet is getting them via the pipe
    • getpage 1st tells telnet to open a connection to ($1) port 80 ($2).
    • getpage waits 2 seconds for the connection. Adjust as necessary.
    • getpage sends the request. GET / HTTP/1.0 and sets the host ($3) to
      • Note $4 is the resource to fetch and we set it to /.
      • I even threw in the user agent header for fun.
      • Those 2 empty echo statements are necessary to tell the server this is the end of the request.
    • Finally getpage sleeps for 2 seconds to allow time for the response to come back. Leave out this line and you'll get nada.
  • A photo of Bruce Bruce says:

    good post - that telnet scripting worked for me where manual telnet failed. dunno why, but I can proceed from here and experiment later! ;-)